A new swathe of US hotels has fallen prey to point-of-sale (PoS) malware which may have exposed customer financial data.

20 US hotels operated by HEI Hotel & Resorts on behalf of Starwood, Marriott, Hyatt, and Intercontinental may have leaked the financial data of customers due to malware installed at PoS terminals and systems, including at bars, restaurants, spas, and shops.

Hotel properties in cities including San Francisco, Chicago, Arlington, and Washington DC were included in the data breach. Malware was active at different stages depending on the property, but customer data was exposed between 2015 and 2016.

HEI says that customer data including names, payment card account numbers, card expiration dates, and verification codes may have been captured by the malware.

However, the company insists that the firm does not store credit card numbers; rather, it is believed the malware captured this data as it was recorded in real-time at PoS terminals.

"We take this matter and the security of personal information very seriously and we will continue to review and enhance our security measures to further secure our systems," the firm said. "Please accept our sincere regret for any concern or frustration that this incident may cause."

According to Reuters, the malware was discovered in June this year. However, HEI spokesman Chris Daly told the news agency that it is difficult to calculate the number of affected customers as they may have used their cards more than once.

In a statement, HEI said the breach has now been contained and the company plans to bolster its data security to lessen the risk of such cyberattacks taking place again. Law enforcement has been notified and the company is in the process of installing a new payment processing system which is separate from the main, core computer network.

Those who have stayed at these resorts will have to contact the hotel operator themselves if they believe their data is being used fraudulently due to the breach, as HEI says not enough information is stored to locate past customers.

Customers can call a free number for advice, but no free credit monitoring -- which has become something of a staple after a data breach involving customers -- is yet on offer.

You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.

You agree to receive updates, alerts, and promotions from the CBS family of companies - including ZDNet’s Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe at any time.

By signing up, you agree to receive the selected newsletter(s) which you may unsubscribe from at any time. You also agree to the Terms of Use and acknowledge the data collection and usage practices outlined in our Privacy Policy.